It is actually easier to do trace spoofed traffic than you think.
If there is lots of it, like at attack, it will show up in netflow/cflowd
Records, giving away which routers the traffic passed through, and which
Interfaces.
Cisco's 'Cisco Express Forwarding' permits tracing the flow of packets, you
can in effect say, which interface does the next 192.168.0.0 packet come in
on, and where did I send it.
The TTL, if not specifically set by the attacker, is a good indication of
source. As each OS uses a known TTL, you can second-guess that a TTL of 100
at the receiver was originally 128 when sent.
As for getting neighbour ISPs to do something - if it's a transit link, the
ISP can tell the provider to stop sending them 192.168 crap - which
otherwise the ISP would pay for. For peering relationships, which are
usually (but not always) symbiotic, if the ISP threatens to drop the peering
link "because you send me too much junk", the peer will tend to fix the
problem.
Dom
Dom De Vitto CISSP, dom at devitto.com
-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Stephane Grobety
Sent: 02 May 2005 15:02
To: General DShield Discussion List
Subject: Re[2]: [Dshield] routing 192.168...?
Hello Daniel,
IPs with private source addresses are only blocked by ISP's that do
some form of egress filtering and even then, it's not always the case
and most often only at the periphery.
It's a shame really: that kind of filtering would really cut down the
nuisance capacity of machines inside the ISP's own network but, on the
other hand, it's not really a sales argument, it costs money. So few
are doing it and far from enough for filtering to be really effective.
You can check the TTL by looking at the raw IP headers (for instance,
with etehreal). But it won't tell you much as you'll only have the
final value, not the initial one, and therefore cannot know the exact
number of hops.
The best would be to setup your router to drop all packets with a
private IP in the source field that hits the external interface. if
that's not possible, then I'm afraid you'll have to live with it:
tracing spoofed traffic is next to impossible. Trust me, I know: for 8
month, some Dutch idiot tried to use my DNS server as a traffic
amplifier by sending it requests for the root with a spoofed IP
address (the actual victim). I was unable to trace the traffic and my
ISP refused to even persue it (I can't blame them, really: in order to
do that, you have to follow the phisical path of the packets to know
what gateway they come from and then ask the next party to do the same
until you reach the source).
Good luck,
Stephane
Monday, May 2, 2005, 6:09:56 AM, you wrote:
DC> Hi Chris,
DC> I know that the source is not use for routing but I thought that private
DC> addresses are suppose to be block by ISPs.
DC> Not mandatory but, they should. After all an ISP could use that address
DC> on their own private network ?
DC> How can I check the TTL ? It append 28 times today. For me the source
DC> become that private address, no routing possible.
DC> My fisrt line is a router/firewall, everything is block, I then have
DC> ZoneAlarm in every machine.
--
Best regards,
Stephane mailto:security at admin.fulgan.com
-------------- Sponsor Message ------------------------------------
Join us at SANSFIRE 2005 in Atlanta!
The Internet Storm Center Conference.
Details: http://www.sans.org/sansfire2005
_______________________________________________
send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list